A BIG thank you to you all for posting questions and comments! I have to run now but I promise to follow up with some of the most interesting ones later. Take care!

Before joining F-Secure, I worked for almost ten years for the Finnish government. Three things I learned:

  1. Governments want that their citizens and businesses can participate in the digital society in a secure fashion and in ways that respect privacy.
  2. The same governments want to introduce backdoors to encryption and bulk access to the data.
  3. Governments fail to see the irony.

I'm a Cyber Security Advisor at F-Secure. Before that I was the head of CERT-FI and Deputy Director of National Cyber Security Centre Finland. I have experienced first hand both the crazy threats and crazier pressures governments face that encourage them to ridiculous demands for ridiculous new laws.

Last month, I testified before the British Parliament on the Investigatory Powers Bill (#IPBill). I made a case that what the UK government is proposing is too much, too wide and too costly. I urged the government to rethink and scale down the powers they're demanding: http://safeandsavvy.f-secure.com/2015/12/22/britain-needs-a-fresh-start-for-privacy/

It's Data Protection Day (or Data Privacy Day in the U.S.) and I'm here to answer any questions you have about encryption, cybersecurity and data protection.

Proof: https://twitter.com/ekoivune/status/692690490530074624

Comments: 1261 • Responses: 40

Jux_920 karma

What can an average citizen do?

ekoivune1190 karma

There are lots of things that average citizen can do.

To begin with, good security and reasonable levels of privacy do not require big investments in terms of money. Just make sure that whatever devices it is that you use to get online are properly patched and hardened.

The biggest investment is in terms of personal time: good privacy means good operational security posture. Surf "incognito" and shy away from active content, cookies and anything that tracks you. Hide your tracks. Limit your damage by e.g. choosing individualized passwords. Spread up your online presence by setting multiple and non-linked accounts to the services you use.

Nobody can get away from network tapping but everybody can influence how much data their devices leak and send out over the wire.

Whatever you do, please have realistic view of what is your digital footprint. That determines who you have to trust, regardless of whether you want to.

mjh808348 karma

The subject reads "I know why governments want more access to your online data", how about elaborating on that?

I know the reasons are nefarious but curious about your take on it.

ekoivune392 karma

Good, thanks for the question.

Governments have a responsibility to provide us a safe and secure environment. Most of us would be terrified to know what kind of loonies and extremists walk amongst us. It is only natural that LE and counter terrorism folks want tools to not only track dangerous individuals, groups and other entities but to also identify and anticipate them.

I personally come from a CERT (as in computer security incident response) community. To some extent I can fully relate to the "collect-it-all" mindset. If your job is to trace anomalies, reconstruct timelines of past events and to provide early-warning information, it is only natural that you want to be where the data sits or flows and to be able to tap into that source. There is, however, much to be said (which I am not going to dive into now) about the mission-creep and too much focus on the haystack instead of the needle.

In my mind, the governments are doing a lousy job calculating the true costs (both in terms of monetary terms and societal effects) of forcing everybody and their cousins to collect, retain and disclose to authorities all this digital evidence. It is easy to demand unreasonable things when somebody else pays the bill. Hardly a "right to be forgotten" mentality, is it?

Where the CERT philosophy differs from the SIGINT philosophy, is that CERTs always operate with the consent of the users whose systems they tap. The SIGINT authorities "collect it all" with the orders (at best) of the national parliament or (as is the case in many countries) by the orders of the president/prime minister/king/queen. I love systems where the monitoring subject can revoke their consent at any time. :-)

I hope I was able to cover that topic. :-)

Zyzyphe219 karma

Which european country is worse and more aggressive than it looks in terms of collecting our data? And why is that?

ekoivune386 karma

UK is pretty bad and it shows. :-)

FR appears less in the public debate but - yeah - they collect lots of material in bulk.

DE has a reputation of being privacy-conscious. And at the same time their intelligence services have repeatedly been exposed of conducting something nasty.

SE was markedly open in their intentions, I give them plus on that one.

FI is now following the lead of .. yeah, whose..?

ManOfLaBook116 karma

How do governments propose to tackle the inevitable abuse of the power they want to get? Sometime those abuses happen within days of the laws taking place.

ekoivune189 karma

The system's tendency to abuse the powers it has been granted is something that the authorities have a hard time acknowledging. The oversight mechanisms appear to be more of a checkbox exercise where the government tries to get away by merely stating that "we have oversight".

There is now big enough body of evidence to suggest that the so-called double-lock mechanisms, documented procedures and after-the-fact inspections are not enough. There is pronounced need for whistleblower mechanisms (and protections for the whistleblowers) as well.

One single most effective mechanism to tackle abuse of powers is to keep the authority powers at minimum. For instance, in the UK context that would mean that instead of discussing on which terms an authority can access the bulk data, there would be point in NOT COLLECTING such big amounts of data in the first place.

calon36186 karma

Have you witnessed any case of people's privacy being breached?

ekoivune117 karma

Sure I have. Just to be sure: I have not committed to such breaches. :-)

jauntylol38 karma

Would you expand?

ekoivune93 karma

I elaborate a bit more.

In my previous job at CERT-FI we regularly handled dumps of personal information gathered by datastealers and the likes. At F-Secure we do forensics on victims' computers and identify sites where leaked information is posted. So yes, I have seen my share of people's privacy being breached.

I am - and have always been - in the "victim notification business".

I like to think that as part of the solution, not the problem. :-)

howlowcanIg072 karma

I'm an IT Auditor and Cybersecurity has become a huge buzzword in the industry. I have done several Cybersecurity Audits, but I am by no means an expert in this field. I look at the CEH and CISSP areas and I can't help but feel like these certifications are running on data from 10 years ago. Is there any training or Certifications or education that I can pursue to be better prepared to better lock our doors against hackers?

ekoivune113 karma

Don't get fooled by the cybersecurity hype. Many of the principles date back from way more than ten years ago and are still relevant today. I am always delighted to hear when someone in the industry is able to get above the cacophony of buzzwords and remind us about what really matters. I, for instance, fell in love couple years ago to John Lambert of Microsoft when he - in ten tweets - summarized everything that matters in cybersecurity.

You should also familiarize yourself with standards such as NIST and FIPS (or KATAKRI in Finland) that list good practices to set up a secure system. The US NSA (their Information Assurance division) and CIS release great hardening manuals for different platforms. Lots of thought has been put into compiling such guidelines. Make good use of them and challenge you to think why any given advice has been put there.

Amidatelion42 karma

Any chance you have those tweets saved?

mynameipaul50 karma

I'm a software engineer building tools for the pen-testers and other security folk in my firm - so I'm around cybersecurity a lot. Many people in my role go on to become pen-testers and security consultants in their own right.

two questions:

  • How did you get into cyber-security?

  • Given your experience what advice would you have for a software engineer to grow their skills/knowledge, and eventually move into the cyber-security industry?

ekoivune120 karma

  • I originally started as a SysAdmin. I quickly got bored in setting up and maintaining the system so I found myself spending most of my time tweaking and hacking away. In the nature of true BOFH I found the end users an irritating distraction who kept on breaking my domain. So I experimented with limiting the user and service accounts' privileges to the bare minimum (poor users). The final straw in my SysAdmin career was an experiment where I audited the password quality for the company I used to work for. I ended up being the first person in the company's information security team and they ended up spending lots of money sending me to Def Con and RSA Conference. :-)

  • My main piece of advice: do NOT break the law. There are ways to hack stuff and develop your chops without creating a criminal record for you.

MadZaxx47 karma

What is your prediction? Which of the 2 desires by big governments will prevail eventually?

ekoivune90 karma

I have two predictions, the positive and uplifting one and the more pragmatic one.

Positive prediction: Average person's access to cyber security protections provided through the use of strong cryptography has never been this good in the history of mankind. Governments cannot ban mathematics nor innovation. There is a strong civil rights sentiment in political circles that pushes for privacy protections and freedom to use good crypto.

Pragmatic prediction: For intelligence and law enforcement communities, electronic communications has been a valuable source of information all the way from the beginning of ages. They see the present situation with non-telecommunications providers providing access to secure communications just an anomaly. An anomaly that will soon be corrected.

Doodle-Cactus37 karma

Do they have Mexican food in Finland?

ekoivune47 karma

Dunno about the rest of the Finland but there are at least two ones in Helsinki downtown. I love to drink my beer from a glass with salty rim.. :-)

stefonio37 karma

How does one get into this field? I want to go into cyber security, but my university doesn't have that program at the moment, but they plan to in a couple years.

ekoivune95 karma

Cyber security is about mathematics of encryption (modular arithmetics), traffic analysis (statistics) and about the art of computability. Even though a course doesn't bear a word cyber in it, it doesn't mean that it isn't relevant for the art.

There is also much to be utilized in legal studies (heck, privacy is a legal construct) and sociological and economist studies. Not to mention military and leadership studies. Cyber security is not a separate island from the rest of the society.

I never thought of myself as studying cyber security or information security. I was just messing around combining tech and social studies and - all of a sudden! - I became a glorified Chief Information Security Officer. I am still amazed how easy it was to pull that off! :-)

Elefantenrennen52 karma

So basically you social engineered your way into the job?

ekoivune39 karma

I guess back in those times it was soooo much easier than it is nowadays. :-)

stegasaurusteeth21 karma

On the subject of the UK: If they were to go ahead with their Investigatory Powers Bill as it is, what would your advice be to citizens who still wanted security and privacy?

ekoivune39 karma

Contact your MP. Now! And let them know about your thoughts throughout this spring.


Hey Erka! You said that you have experienced threats. What kind of threats, and what was the most insane one? Are the threats ever gone through with?

ekoivune63 karma

Ooh, it would be easier to list places where everything is running smoothly and with zero exposure to threats.

Insane threats:

  • Critical governmental communications systems running without encryption because one senior person (of age, not rank) refused to update his comms device.

  • Corporations insisting on putting all their critical systems and networks behind one externally exposed firewall. At least one of them then proceeded to effectively add ANY:ANY rule to accept all incoming and outgoing traffic

  • Senior management seriously discussing about disconnecting themselves from the internet if they get inbound DoS attack (thus finishing the attacker's job).

Some of these either never materialized into a breach. Some gave the organizations a serious headache..

bundlednc12 karma

You are awesome! A lot of people are not concerned about privacy and security as they have the attitude of "i'm not doing anything wrong so what do I have to be afraid of" or "who would be interested in my boring life". How do you get your message across to those types of people that this is something everyone should be concerned about?

ekoivune21 karma

Our Mikko put it nicely in one of his many TED talks. Something along the lines of "since you are unable to keep secrets, remind me to not trust you with them."

I maybe was at TEDxBrussels in 2014..?


squishyburger10 karma

How many beers is too many beers to work on a computer?

ekoivune22 karma

It depends. If your work is to write TO somebody, I suggest to avoid mixing computers and beer. OTOH, if you need to debug your own precious code or set up your new gear, I would recommend a drink/drinks.


Since you are from Finland, do you have any recommendations for metal bands? Perhaps some who play music related to security?

jax3rir15 karma

ekoivune26 karma

I am more like a jazz and funk kind of guy. :-) My personal favourite metal band, though, is the one where our own tech guru Mika Ståhlberg plays in. I have never heard them and it perhaps is the best to keep it that way. :---D

nikomo7 karma

How do we get the people in media to stop saying cyber?

And on a more serious note, how exactly are we supposed to protect ourselves when pretty much all our data is sitting on foreign services? I rent a dedicated server in Paris, there's so many links in between where a foreign hostile organisation could capture and analyse data.

... And milking the comment: how bad is our own government when it comes to trying to spy on us? They were on the news a bit some time back, but how would we know of any existing programs?

ekoivune11 karma

Cyber will eventually be replaced with the [NEXT ANNOYING BUZZWORD].

It should be stressed out that "foreign service" is a relative term. Your connection from your computer to a server somewhere in the same country can cross borders due to the nature of internet. Additionally, a foreign service can actually interact with you through a node in your own country, maybe even store your data there (at least for couple of milliseconds). You have some visibility to the routing topology between you and the "front-end node". Visibility to the inner workings of a cloud are denied from you.

Concentrate on figuring out what do you need protection against and seek to effectively deploy defenses for that.

replete7 karma

The title says that you know why governments want more access to your online data. What is the answer to that question exactly?

ekoivune4 karma

They want to protect others from you in case you turn out to be a terrorist.

RealInternetComment5 karma

While governments collecting data is a big problem, what can we do to stop this in the private sector, where companies are even less accountable? Seems like private companies can sell data to each other without informing the consumer. I don't really want my health insurance company to know how much time I spend at the pub!

ekoivune8 karma

In the US they maybe can. In Europe it is a totally different story. (Hello Max Schrems!)

BorisUlianov4 karma

Hi! Boris from Argentina. What are the implications of going to a TPP partnership if I use FOSS software like Ubuntu? They will be able to create closed-source packets to intercept my communications? They will be able to force me to install backdoors on my equipment?

Another question: is Tor and IceCat enough protection against censorship if our gov'n decides that we are a menace to our national security?


ekoivune20 karma

Sorry, I am not an expert on TPP negotiations. (Who is, given they are always so secret?!)

A trimmed-down and somewhat hardened browser will not provide you protection against censorship. Used wisely, you can, however, use IceCat to limit the amount of personally identifiable information that would otherwise leak out. Tor would similarly try to anonymise you and get past geoblocking.

However, if the censoring party (your mom, your company, your government) really wants to force you to reveal yourself they can start blocking access to Tor or other VPN providers. It is, sadly, pretty easy if you have control over both the access networks and core networks.

CornyHoosier4 karma

How should Western governments prepare and defend themselves from consistently occurring intrusion attempts by state-sponsored attacks from other countries if monitoring and security programs are limited in ability and scope?

ekoivune9 karma

It is important to note that the tightly locked-down, carefully segmented and isolated systems with higher security classification do NOT get consistently breached through intrusions as we understand in the classical sense. They have, of course, been breached by insiders (hi Edward!) and whistleblowers (hi again, Edward!).

I would be last person to say that good basic security practices are outdated. I however know for a fact that these practices are not followed nearly as often as they deserve!

Efficient monitoring capability is part of good security practice but there is little point in monitoring a leaking bucket. Similarly, bad OpSec (be it from the side of users, operators or managers) quickly ruins whatever good technology that you have. The enemy knows that.

Designing, setting up, operating and maintaining a secure system is exactly the kind of boring (but noble) SysAdmin work that I started with but soon grew tired of in the beginning of my career (see my response to another question). There are not enough many SysAdmin Appreciation Days in the year to promote the best and most invisible defenders that we have.

Not_who_you_think__4 karma

I don't know if my question can be answered, but what can I do to make sure my web traffic and personal information is safe and not vulnerable when I'm on my mobile device? (iPhone 6s)

ekoivune37 karma

Give your phone to me.

SayerApp3 karma

Do you feel there is a large difference country to country in terms of what the government actually wants access to?

ekoivune6 karma

The biggest fault lines are as I see it:

  • the resources available to extract, collect, store and meaningfully analyze differ wildly b/w countries

  • the political realities set up certain upper limits to what is reasonable for a gov't to request

  • the needs differ b/w the needs of counter-intelligence, counter-terrorism, internal security, foreign intelligence, military operations, clandestine operations, diplomacy and economic development; a country that doesn't wage wars or participate in plots to overthrow foreign governments understandably has more modest needs..

Olive_truth2 karma

Are governments interested in gathering medical data? I can't see any security reason behind it!

ekoivune4 karma

Yes they are, and I can see many uses for that. You must widen your notion of what falls under "security".

ekoivune4 karma

To add: in Finnish language, there is only one word that means both security and safety. This is a source of much confusion, I can tell you. As it happens, Finnish authorities have collected vast amounts of medical data for reasons of safety and research. Keeping that away from attackers must be a security nightmare.

Ebatoro2 karma

How easy is it today to breach into someone's personal information? Let's say social media: Facebook

ekoivune2 karma

Facebook surely tries to make it as hard as possible. They have pretty awesome mechanisms to defend against malicious use.

Their customers on the other hand.. I immediately got a headache.

painija_ukkeli2 karma

Do you know of any governments that are actually working towards private browsing and protecting their citizens from any and all entities trying to access their data? So, is there yet any exemplary government in this matter?

ekoivune3 karma

I know for a fact that US has done a remarkably good job in releasing anonymization techniques such as Tor to the wide public. :-)

Typically_Wong2 karma

So are you more of a manager side of the NetSec or engineer? Testifying would require a good amount of engineer knowledge, but more of an eloquence that a manager would need in high level positions.

How did you get to where you are now? I'm asking coming from a guy that's done networks (Sr Network Engineer currently) and has done several pentests and offensive security bits working towards my OSCP. Relearning many technical bits and I have a strong base for NetSec. Just wondering how you managed to get to where you are.

ekoivune2 karma

I am an engineer (M.Sc. (Tech)) by education, SysAdmin by experience and a hacker by heart. <3

It is correct to characterize that nowadays I talk the talk more than walk the walk. It used to be the other way around, which I am pretty proud of.

estavrak2 karma

How should Law Enforcement Authorities deal with a situation, in which they are not able to gather the required evidence to fight crime and terrorism due to the use of popular encryption tools?

ekoivune4 karma

They should do the traditional police work. That is, interrogate suspects, gather evidence, ask questions and piece the puzzle together. Many LEs already have legal authority to install "police malware" (they probably call it utility software; the UK IPBill calls it "Equipment Interference") on the suspect's endpoint device or can obtain decryption keys by hacking into the suspect's systems. It effectively circumvents whatever encryption there was on the wire. They are not even nearly going dark.

rofello2 karma

from your opinion, if the proposal accepted and executed in UK, which country will follow next? most Europe or it will be as global-scale-program/standard for all country?

ekoivune3 karma

UK is on its own league with other giants such as US, RU and CN. Such a "high levels" will not become standard but rather a benchmark against which countries with lesser capabilities compare themselves.

Spacemage2 karma

This is a bit further in the future, but it's probable that brain to brain connections will become a viable technology in some capacity. Are you aware if anyone making strides to be preemptive as far as laws protecting people's physical being and mind while being put through digital avenues?

ekoivune2 karma

Since RAND and DARPA do not draft laws, I'd assume that no one is working on that.

average_dota1 karma

Moi Erkka! Finnish-American software developer/security enthusiast here. Thanks for the AMA! My question is the following:

In the past, the USA has placed "export bans" on strong encryption. While I understand the military reasoning, it still sets a worrisome precedent. Do you foresee any future where governments ban the use of strong encryption internally?

ekoivune2 karma

Mind you, it's Erka :-)

Export bans discussion is still alive and well with the dual-use export control discussions. #Wassenaar is good hashtag to update yourself on the recent developments.

The absurd discussion on government backdoors (sometimes disguised as "frontdoors") is also experiencing a renaissance.

So, the will certainly is there.

iwouldrun500miles1 karma

When's the last time you took a sauna and jumped in the lake?

ekoivune1 karma

Too long ago!